Opened 6 years ago

Closed 6 years ago

#7053 closed Task/To do item (fixed)

Check that server can accept remote/non-local connections & check port 3306

Reported by: racheljdaniell@… Owned by: https://id.mayfirst.org/ross
Priority: Medium Component: Tech
Keywords: odbc mysql-connection foucault.mayfirst.org Cc: epaul@…
Sensitive: no

Description

Hello lovely May First folks,

I'm working with The New Press (who is a May First member) on some updates to their systems. One of the things we're doing is having their local/in-house FileMaker database connect to a MySQL database on their (new/in-development) website server to push some data from FileMaker out to the MySQL tables that can then be used in various ways on their new website.

I'm getting error messages when I try to set up the DSN to connect from the in-house server to the website server. When you have a chance, we need to have the New Press's (new) website server checked to see:

(1) if the port 3306 is open/no firewall blocks that would interfere, and, (2) if it is configured to allow remote network/non-local connections (we could restrict this to the particular IP of the FileMaker Server, if that's preferable)

Let me know if you need any further information (IP addresses/etc.) to look into this.

thanks all, Rachel

Rachel Daniell

Change History (8)

comment:1 Changed 6 years ago by https://id.mayfirst.org/dkg

  • Keywords odbc mysql-connection foucault.mayfirst.org added; ODBC connection removed

I think you're asking about foucault.mayfirst.org. mysqld on foucault is not currently configured to listen on the external IP address.

Assuming you have ssh access configured to foucault, one possibility is to have your in-house FileMaker database connect via an SSH tunnel. That is, you would set up a dedicated SSH connection between the machine that needs filemaker access and foucault, and use it to forward your machine's loopback port 3306 to foucault's loopback port 3306. Then configure filemaker's ODBC connector to point to the local machine.

Taking this approach requires no reconfiguration of foucault, and has some nice additional properties:

  • it does not open up your database to probes from other machines on the network.
  • all traffic is encrypted, so that if you are pushing sensitive data over the connection, it will not leak to anyone observing the traffic.

If we were to open foucault to external connections (I don't know what the common policy is on that within MF/PL), I recommend limiting it to accept connections only from certain remote IP addresses, ensuring that TLS is enabled (and required), and ensuring that the client requires TLS, has a cached certificate for foucault, and won't accept connections if the peer responds with a different cert+key.

I think the ssh tunnel is probably easier :)

comment:2 Changed 6 years ago by https://id.mayfirst.org/ross

  • Owner set to https://id.mayfirst.org/dkg
  • Status changed from new to assigned

comment:3 Changed 6 years ago by https://id.mayfirst.org/dkg

  • Owner https://id.mayfirst.org/dkg deleted

Sorry, I don't have the time to work on this further right now :(

comment:4 follow-up: Changed 6 years ago by https://id.mayfirst.org/thenewpress

Yes, that's the server we're using.

I'm open to trying the SSH option, but I would need more detailed advice on how to set it up since that configuration is not in the standard FileMaker ESS/ODBC setup documentation I'm working from.

However, if the external connections could just be restricted to our server's IP address, and if that would solve the issue you raise about probes from other machines on the network, that would also work fine for our needs. There is no concern for us with the second issue you raised, that the data being sent over is confidential -- all the data we will be sending is web marketing/book info approved to go public within FileMaker before it would be sent to the web. It is essentially an online catalog.

We're also open to other ways of doing this. For this project, we just need to push data out in one direction -- from FileMaker Server to the website server. But we do need to ensure that it is automated and that it happens on a regular basis. If there are other methods you recommend we explore, we'd be interested in hearing about them.

Meanwhile, if it's possible, we would like to talk to someone this week about the next steps on this -- whether implementing the SSH option or opening a remote connection possibility from a specific IP (or other methods). We sent an email to Ross requesting a call but could speak to whoever has time to take this on.

many thanks for your help and your quick response! best, Rachel

comment:5 in reply to: ↑ 4 Changed 6 years ago by https://id.mayfirst.org/dkg

Replying to https://id.mayfirst.org/thenewpress:

However, if the external connections could just be restricted to our server's IP address, and if that would solve the issue you raise about probes from other machines on the network, that would also work fine for our needs. There is no concern for us with the second issue you raised, that the data being sent over is confidential -- all the data we will be sending is web marketing/book info approved to go public within FileMaker before it would be sent to the web. It is essentially an online catalog.

I hear where you're coming from about this, but I think you might be overlooking one part of the communication that is actually confidential: your system's authentication credentials to the MySQL server. If you're not using an encrypted tunnel, then those credentials will leak to anyone observing the traffic. Presumably, those credentials are sufficient to authorize write access to parts of your web site to anyone who can get access to the database.

You don't mention what operating system your filemaker server is running, so it's difficult for me to point you to specific instructions to set up an ssh tunnel. can you provide more details about the server?

comment:6 Changed 6 years ago by https://id.mayfirst.org/thenewpress

That's a good point. And we're happy to go with the SSH option. I just need to make sure it will function the same way for FileMaker's remote data configuration.

The in-house server is running Windows 2008 Server (Standard), service pack 1. It's running FileMaker Server Advanced 12.

Also, Dan O'Brien is the person supporting The New Press's IT/network, just FYI, and would have more detailed info on the server setup.

Let me (or Dan) know if any other info is needed to determine the specific instructions.

comment:7 Changed 6 years ago by https://id.mayfirst.org/ross

  • Owner set to https://id.mayfirst.org/ross

The process for configuring an ssh tunnel for mysql is outlined here:

http://toic.org/blog/2010/ssh-port-forwarding/

This will not work exactly for your Windows machine, but you can follow these instructions for a tunnel using Windows and PuTTY:

https://howto.ccs.neu.edu/howto/windows/ssh-port-tunneling-with-putty/

FileMaker is proprietary software that we do not support. I'm not sure how you can configure that, but if you have the ssh tunnel set up, the host should be 127.0.0.1 with the mysql username and password. The ssh tunnel will log in to thenewpress@julia.mayfirst.org.

hth,

~/ross
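The tunnel described in comment:1 and comment:7, as an added example that is not part of the ticket or of May First's own documentation: a small shell script that assembles the OpenSSH and PuTTY (plink) forms of the loopback-to-loopback forward, the mysql client invocation for testing it, and a check that the DSN host really is the tunnel's local end. The ssh login `thenewpress@foucault.mayfirst.org` and the MySQL user `catalog` are placeholders assumed here, not values from the ticket.

```shell
#!/bin/sh
# Added example, not part of the ticket: assemble and sanity-check the SSH
# tunnel that forwards the FileMaker host's loopback port 3306 to mysqld's
# loopback port 3306 on foucault, so the ODBC DSN can point at 127.0.0.1.
# Assumed placeholders (not stated in the ticket): the ssh login
# "thenewpress@foucault.mayfirst.org" and the MySQL user "catalog".

# OpenSSH form of the tunnel (Linux/macOS, or OpenSSH on Windows).
#   -N                          no remote shell, port forwarding only
#   -L 127.0.0.1:L:127.0.0.1:R  bind the LOCAL end to loopback so other
#                               office machines cannot reach the forwarded port
#   ExitOnForwardFailure=yes    fail loudly if local port L is already taken,
#                               instead of running a tunnel that forwards nothing
#   ServerAliveInterval=30      keep a long-lived tunnel from being dropped idle
tunnel_cmd() {
  ssh_target=$1
  local_port=${2:-3306}
  remote_port=${3:-3306}
  printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L 127.0.0.1:%s:127.0.0.1:%s %s\n' \
    "$local_port" "$remote_port" "$ssh_target"
}

# Same tunnel with PuTTY's command-line client on the Windows 2008 host.
# plink understands -N and -L like OpenSSH; -batch aborts rather than
# prompting, which matters for an unattended scheduled task. Do NOT add -g:
# it listens on all interfaces and undoes the loopback restriction.
plink_cmd() {
  ssh_target=$1
  local_port=${2:-3306}
  remote_port=${3:-3306}
  printf 'plink.exe -batch -N -L 127.0.0.1:%s:127.0.0.1:%s %s\n' \
    "$local_port" "$remote_port" "$ssh_target"
}

# Client-side command for testing the tunnel with the mysql CLI.
# --host=127.0.0.1 rather than "localhost": on Unix the mysql client treats
# "localhost" as a request for the Unix socket and would bypass the tunnel;
# using 127.0.0.1 everywhere (including the ODBC DSN) avoids the ambiguity.
mysql_test_cmd() {
  db_user=$1
  local_port=${2:-3306}
  printf 'mysql --protocol=TCP --host=127.0.0.1 --port=%s --user=%s -p\n' \
    "$local_port" "$db_user"
}

# Reject a DSN host that would send the MySQL credentials over the open
# Internet. Returns 0 only for the loopback address the tunnel listens on.
dsn_host_ok() {
  case $1 in
    127.0.0.1) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-alone run: print the three commands for the assumed placeholders.
if [ "${1:-}" = "--show" ]; then
  tunnel_cmd thenewpress@foucault.mayfirst.org
  plink_cmd thenewpress@foucault.mayfirst.org
  mysql_test_cmd catalog
fi
```

Run the tunnel command first, then the mysql test command in a second window; once that connects, the ODBC DSN on the FileMaker host gets host 127.0.0.1, port 3306 and the MySQL username and password, exactly as comment:7 says. The loopback bind on the local end is what preserves the "no probes from other machines" property from comment:1.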

comment:8 Changed 6 years ago by https://id.mayfirst.org/ross

  • Resolution set to fixed
  • Status changed from assigned to closed

I think this has been resolved based on conversations outside this ticket.
